From 945e76a206b09fc2c509c8e9b92fbead1969f139 Mon Sep 17 00:00:00 2001 From: Ryan Williams Date: Mon, 14 Apr 2025 17:05:57 +0100 Subject: [PATCH 1/2] rename variables and add comments --- .../users-permissions/strapi-server.js | 35 +++++++++++-------- 1 file changed, 20 insertions(+), 15 deletions(-) diff --git a/backend/src/extensions/users-permissions/strapi-server.js b/backend/src/extensions/users-permissions/strapi-server.js index 03b57be..269a29d 100644 --- a/backend/src/extensions/users-permissions/strapi-server.js +++ b/backend/src/extensions/users-permissions/strapi-server.js @@ -84,7 +84,10 @@ module.exports = (plugin) => { } if (provider === 'local') { - const { identifier, signedData } = params; + + // todo also add the message that was signed over by the wallet + // const { expectedIdentifier, signedMessage, expectedSignedMessage } = params; + const { identifier, signedMessage } = params; let userInfo = ctx?.state?.user; @@ -92,27 +95,29 @@ module.exports = (plugin) => { throw new ValidationError('identifier was not provided'); } - if (!signedData) { + if (!signedMessage) { throw new ValidationError('signData object was not provided'); } - const decoded = COSESign1.from_bytes( - Buffer.from(signedData.signature, 'hex') + const receivedCOSESig = COSESign1.from_bytes( + Buffer.from(signedMessage.signature, 'hex') ); - const key = COSEKey.from_bytes(Buffer.from(signedData.key, 'hex')); - const pubKeyBytes = key + const receivedCOSEKey = COSEKey.from_bytes(Buffer.from(signedMessage.key, 'hex')); + const receivedPublicKeyBytes = receivedCOSEKey .header(Label.new_int(Int.new_negative(BigNum.from_str('2')))) .as_bytes(); - const publicKey = PublicKey.from_bytes(pubKeyBytes); - const signature = Ed25519Signature.from_bytes(decoded.signature()); - const receivedData = decoded.signed_data().to_bytes(); - - // Remove network id from identifier - const rawKeyHash = userInfo ? identifier : identifier.slice(2); - + const receivedPublicKey = PublicKey.from_bytes(receivedPublicKeyBytes); + const receivedSignature = Ed25519Signature.from_bytes(receivedCOSESig.signature()); + const receivedDataBytes = receivedCOSESig.signed_data().to_bytes(); + + // Remove network id from identifier, if included + const expectedKeyHash = userInfo ? identifier : identifier.slice(2); + + // Check the received key hash matches the received signature + // and check that the received key hash matches the expected key hash const isVerified = - publicKey.verify(receivedData, signature) && - rawKeyHash === publicKey.hash().to_hex(); + receivedPublicKey.verify(receivedDataBytes, signature) && + expectedKeyHash === receivedPublicKey.hash().to_hex(); if (!isVerified) { throw new ApplicationError('Verification failed'); From e305db2335f046e0b68035c83e0982fe842765ee Mon Sep 17 00:00:00 2001 From: Ryan Williams Date: Mon, 14 Apr 2025 19:20:28 +0100 Subject: [PATCH 2/2] make naming more consistent --- backend/src/extensions/users-permissions/strapi-server.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/backend/src/extensions/users-permissions/strapi-server.js b/backend/src/extensions/users-permissions/strapi-server.js index 269a29d..e6240dd 100644 --- a/backend/src/extensions/users-permissions/strapi-server.js +++ b/backend/src/extensions/users-permissions/strapi-server.js @@ -108,7 +108,7 @@ module.exports = (plugin) => { .as_bytes(); const receivedPublicKey = PublicKey.from_bytes(receivedPublicKeyBytes); const receivedSignature = Ed25519Signature.from_bytes(receivedCOSESig.signature()); - const receivedDataBytes = receivedCOSESig.signed_data().to_bytes(); + const receivedMessageBytes = receivedCOSESig.signed_data().to_bytes(); // Remove network id from identifier, if included const expectedKeyHash = userInfo ? identifier : identifier.slice(2); @@ -116,7 +116,7 @@ module.exports = (plugin) => { // Check the received key hash matches the received signature // and check that the received key hash matches the expected key hash const isVerified = - receivedPublicKey.verify(receivedDataBytes, signature) && + receivedPublicKey.verify(receivedMessageBytes, signature) && expectedKeyHash === receivedPublicKey.hash().to_hex(); if (!isVerified) {